Abstract

Constructive theories usually have interesting metamathematical properties
where explicit witnesses can be extracted from proofs of existential
sentences. For relational theories, probably the most natural of these is
the existence property, EP, sometimes referred to as the set existence
property. This states that whenever $(\exists x)\phi(x)$ is provable, there is a
formula $\chi(x)$ such that $(\exists! x)\phi(x) \wedge \chi(x)$ is provable. It has been
known since the 80's that EP holds for some intuitionistic set theories and
yet fails for IZF. Despite this, it has remained open until now whether EP
holds for the most well known constructive set theory, CZF. In this paper we
show that EP fails for CZF.



1 Introduction 

1.1 Existence Properties 

Constructive theories are known for having metamathematical properties that 
are often not shared by stronger classical theories such as ZFC. The principles 
below are amongst the most well known of these properties. 

Constructive mathematicians choose to interpret disjunctions and existential
quantifiers more strictly than classical mathematicians. For the constructive
mathematician, in order to know the disjunction $\phi \vee \psi$, one must either know
$\phi$ or know $\psi$. They therefore often expect their formal theories to have the
following property:

Definition 1.1. A theory, $T$, has the disjunction property (DP) if whenever
$T \vdash \phi \vee \psi$, either $T \vdash \phi$ or $T \vdash \psi$.

In order to know $(\exists x)\phi(x)$, the constructive mathematician must be able to
"construct" some witness $a$ such that one knows $\phi(a)$. We certainly know what
it means to construct an element of $\omega$: we must be able to write down an actual
natural number. We also know what it means to construct a function $\mathbb{N} \to \mathbb{N}$:
we must be able to find (a number encoding) an algorithm whose graph
is that function. Hence the constructive mathematician expects their formal
theories to have the following properties. In the definitions below we assume
that $T$ has a constant $\omega$ such that $T$ proves that $\omega$ is the natural numbers and
for each n a constant n such that T proves is empty and n + 1 is the successor
of n. For any theory that could "reasonably" be called a set theory, there will
be at least a conservative extension with this property.

Definition 1.2. $T$ has the numerical existence property (NEP) if whenever
$T \vdash (\exists x \in \omega)\phi(x)$, there is some natural $n$ such that

$T \vdash \phi(n)$

Definition 1.3. $T$ is closed under Church's Rule (CR) if whenever
$T \vdash (\forall x \in \omega)(\exists y \in \omega)\phi(x, y)$, there is some natural $e$ such that

$T \vdash (\forall x \in \omega)\phi(x, \{e\}(x))$

(where $\{e\}(x)$ denotes the result of applying the $e$th recursive function to $x$)

What it means to construct mathematical objects in general is less clear, 
but a common interpretation of this is that they should at least be definable, in 
the sense below. 

Definition 1.4. $T$ has the existence property (EP) if whenever $T \vdash (\exists x)\phi(x)$,
there is some formula $\chi(x)$ that only has free variable $x$ such that

$T \vdash (\exists! x)\phi(x) \wedge \chi(x)$

1.2 IZF, CST, and CZF

If one wants a theory with some of the metamathematical properties appearing
in section 1.1 but has no other objections to classical mathematics, one may be
satisfied with the theory IZF, which can be regarded as "ZF without excluded
middle."

Definition 1.5. IZF is the theory with (intuitionistic logic and) the following 
axioms: 

1. Extensionality 

2. Separation 

3. Pairing 

4. Union 

5. Infinity 

6. Power Set 

7. $\in$-induction

8. Collection

Collection is the following schema:

$(\forall x \in a)(\exists y)\phi(x,y) \to (\exists z)(\forall x \in a)(\exists y \in z)\phi(x,y)$

Compare this with the schema (equivalent in ZF) Replacement:

$(\forall x \in a)(\exists! y)\phi(x,y) \to (\exists z)(\forall x \in a)(\exists y \in z)\phi(x,y)$

Definition 1.6. $\mathrm{IZF}_R$ is the set theory with the axioms of IZF except that it
has Replacement instead of Collection.

IZF is extremely powerful. In fact Friedman showed in [B] that it has the 
same consistency strength as ZF. On the other hand, IZF has most of the 
existence properties we saw earlier. 

Often one may be doing mathematics constructively for philosophical reasons.
One may be an intuitionist: one believes mathematical objects only exist
if they can be "mentally constructed." One may be a predicativist: one
believes that a mathematical object cannot be constructed until it is defined
predicatively - that is without quantifiers whose range includes the object being
constructed. In this case one needs to ensure that the axioms of the set theory
are constructively justified. There are (at least) two ways to go about this:

1. Directly justify each axiom as "true" with philosophical reasoning 

2. Find another theory that already has a strong constructive foundation and 
interpret your set theory into it 

Myhill in [T!5] took the first approach, introducing the following theories. 
Both of these are over a three sorted language with sorts for numbers, sets, and 
partial functions. 

Definition 1.7. $\mathrm{CST}^-$ is the theory with (intuitionistic logic and) the following
axioms:

1. Extensionality (for sets)

2. Bounded Separation (that is, separation for formulae where every
quantifier is bounded)

3. Pairing

4. Union

5. Exponentiation (that is, given any sets $A$ and $B$ there is a set containing
precisely the functions $f : A \to B$)

6. Replacement 

7. Axioms of Heyting Arithmetic for the number sort 

Definition 1.8. CST is the theory $\mathrm{CST}^-$ together with relativised dependent
choices RDC.

In particular Myhill rejected the power set axiom in favour of the weaker
exponentiation axiom because of the more predicative nature of exponentiation.
He chose bounded separation over full separation for the same reason.

CZF arose via the second approach in [I] where Aczel showed that set
theory can be interpreted into the predicative Martin-Löf type theory. Aczel also
dropped the three sorted approach of CST and defined the following theories
over the same language as ZF.

Definition 1.9. CZF is the theory with (intuitionistic logic and) the following 
axioms 

1. Extensionality 

2. Bounded Separation 

3. Pairing 

4. Union 

5. Strong Infinity 

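6. Subset Collection: the schema

$(\exists c)(\forall u)((\forall x \in a)(\exists y \in b)\psi(x,y,u) \to (\exists d \in c)((\forall x \in a)(\exists y \in d)\psi(x,y,u) \wedge (\forall y \in d)(\exists x \in a)\psi(x,y,u)))$

7. $\in$-induction

8. Strong Collection: the schema

$(\forall x \in a)(\exists y)\phi(x,y) \to (\exists b)((\forall x \in a)(\exists y \in b)\phi(x,y) \wedge (\forall y \in b)(\exists x \in a)\phi(x,y))$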

Subset collection implies exponentiation and is implied by power set (see
[2]) and can be seen as an "artefact" of the interpretation of set theory into
type theory. As an alternative to subset collection, one may instead assume the
equivalent fullness axiom. Given sets $A$ and $B$, define $\mathrm{mv}(A, B)$ to be the class
of multivalued relations as

$\mathrm{mv}(A, B) := \{R \subseteq A \times B \mid (\forall a \in A)(\exists b \in B)(a, b) \in R\}$

The fullness axiom can then be stated as follows

$(\forall A, B)(\exists C \subseteq \mathrm{mv}(A, B))(\forall R)\, R \in \mathrm{mv}(A, B) \to (\exists S \in C)(S \subseteq R)$

(For a more detailed discussion of the fullness axiom see [2].)

One can see that the fullness axiom asserts the existence of sets for which
there is no apparent definition. We will prove that for the case $A = \mathbb{N}^{\mathbb{N}}$, $B = \mathbb{N}$,
there is no definable $C$.

CZF is stronger than CST in two respects: replacement has been strengthened
to strong collection and exponentiation has been strengthened to subset
collection.

CZF is regarded today as the standard set theory for formalising constructive
mathematics. This is because it is constructively valid because of its
interpretation into type theory and yet can be used to prove mathematically
interesting results that do not hold in weaker theories. For example, in |15)
Lubarsky and Rathjen showed that the theory $\mathrm{CZF}_E$ that has only exponentiation
in place of subset collection does not prove that the Dedekind reals form
a set.

1.3 Existence Properties of these Set Theories 

The properties DP, NEP, and CR work extremely well as characterisations of
constructive formal theories. None can hold for consistent recursively
axiomatisable theories that have excluded middle, but on the other hand they hold for
a rich variety of constructive theories.

In [18] Friedman and Myhill showed that $\mathrm{IZF}_R$ (that is, IZF with replacement
instead of collection), has the existence property. In 19., Myhill showed
the set theory $\mathrm{CST}^-$ also has EP and also that both $\mathrm{CST}^-$ and CST have
DP and NEP, leaving open whether CST has EP. In [8] Friedman and Scedrov
showed that $\mathrm{IZF}_R$ + RDC has EP, establishing that even set theories with
choice principles can have EP.

Beeson then developed g-realizability, allowing him to show in [3] that NEP,
DP, and CR hold for IZF and IZF+RDC. Rathjen developed realizability with
truth based partly on Beeson's methods to show in [20] and [22T that DP, NEP,
CR and other properties hold for a wide variety of intuitionistic set theories
including CZF, CZF + REA, IZF, IZF + REA with any combination of the
axioms MP, $\mathrm{AC}_\omega$, DC, RDC and PAx.

One can see that EP does not work so well as a characterisation of constructive
theories as the other properties we have seen. As remarked in [20] EP
can hold for classical theories, even extensions of ZFC. On the other hand,
Friedman and Scedrov showed in [!J| that IZF does not have EP.

Friedman and Scedrov's proof that EP fails for IZF makes use of full separation
and collection. Since $\mathrm{IZF}_R$ does have EP, it might seem reasonable to
think that collection is responsible for the failure of EP and the use of full
separation is only incidental. However due to recent work by Rathjen, this turns
out not to be the case. Set theories with collection but only bounded separation
can have EP.

In [24] Rathjen defined the following two variations on EP,

Definition 1.10. 1. $T$ has the weak existence property, wEP, if whenever

$T \vdash (\exists x)\phi(x)$

there is some formula $\chi(x)$ having at most the free variable $x$ such that

$T \vdash (\exists! x)\chi(x)$

$T \vdash (\forall x)(\chi(x) \to (\exists u)u \in x)$

$T \vdash (\forall x)(\chi(x) \to (\forall u \in x)\phi(u))$

2. $T$ has the uniform weak existence property, uwEP, if whenever

$T \vdash (\forall u)(\exists x)\phi(u, x)$

there is some formula $\chi(u, x)$ having at most the free variables $u, x$ such
that

$T \vdash (\forall u)(\exists! x)\chi(u, x)$

$T \vdash (\forall u)(\forall x)(\chi(u, x) \to (\exists z)z \in x)$

$T \vdash (\forall u)(\forall x)(\chi(u, x) \to \forall z \in x\, \phi(u, z))$

As remarked in [21], by analysing Friedman and Scedrov's proof in [5] one
can see that IZF doesn't even have wEP. On the other hand any extension of
ZF has uwEP - consider $V_\alpha$ where $\alpha$ is the least ordinal such that $V_\alpha$ contains
a witness.

In jJJ], Rathjen refers to the theories $\mathrm{CZF}^-$, $\mathrm{CZF}_E$ and $\mathrm{CZF}_{\mathcal{P}}$. $\mathrm{CZF}^-$
is CZF without subset collection. $\mathrm{CZF}_E$ is $\mathrm{CZF}^-$ with the exponentiation
axiom. $\mathrm{CZF}_{\mathcal{P}}$ is CZF together with the power set axiom. All three of these
theories have strong collection, and yet Rathjen shows in [24] that all three have
uwEP (and hence wEP). In that paper he refers to a paper in preparation where
he will show by using this result together with ordinal analysis that these three
theories in fact have EP.

$\mathrm{CZF}_{\mathcal{P}}$, which has EP, is simply IZF with bounded separation in place of full
separation, so the use of full separation in Friedman and Scedrov's proof must
be essential. Furthermore, CZF lies between $\mathrm{CZF}_E$ and $\mathrm{CZF}_{\mathcal{P}}$, two theories
both satisfying EP and uwEP.

However, due to problems defining witnesses for the fullness axiom, these 
proofs do not apply to CZF itself. Rathjen goes so far as to conjecture in [21] 
that CZF does not even have wEP. In this paper we prove that this conjecture 
is correct. CZF does not have wEP, and the fullness axiom is responsible. 

1.4 Pcas

When defining realizability, one usually starts with a partial combinatory
algebra (pca).

Definition 1.11. A pca, $\mathcal{A}$, is a set $\mathcal{A}$ together with a partial binary operation,
$\cdot$, referred to as application, and distinguished elements, $s$ and $k$, such that,

1. $s \neq k$

2. for all $a, b \in \mathcal{A}$, $kab \simeq a$

3. for all $a, b \in \mathcal{A}$, $sa\downarrow$, $sab\downarrow$

4. for all $a, b, c \in \mathcal{A}$, $sabc \simeq ac(bc)$

Recall the following from, for example [27J or [3J.

Definition 1.12. Given a pca, $\mathcal{A}$, we define terms over $\mathcal{A}$ inductively as follows

1. There is a countable supply of free variables, $x_i$, each of which is a term.

2. Each element, $a$ of $\mathcal{A}$ is a term.

3. If $s$ and $t$ are terms, then the ordered pair, $(s,t)$ is also a term. We write
this as $(s.t)$.

We say that a term is closed if it contains no free variables.

Definition 1.13. We define inductively what it means for a closed term, $s$, to
denote $a \in \mathcal{A}$

1. If $a' \in \mathcal{A}$ then $a'$ denotes $a$ if and only if $a = a'$

2. $(s'.s'')$ denotes $a$ if and only if there are $a', a'' \in \mathcal{A}$ such that $s'$ denotes
$a'$, $s''$ denotes $a''$, and $a'.a'' \simeq a$.

If $t$ is a closed term and there is an $a \in \mathcal{A}$ such that $t$ denotes $a$, we write
$t\downarrow$.

If $t(x_1, \ldots, x_n)$ is an open term with free variables amongst $x_1, \ldots, x_n$, we
write $t\downarrow$ to mean that for every $a_1, \ldots, a_n \in \mathcal{A}$, $t(a_1, \ldots, a_n)\downarrow$.

Proposition 1.14. For any term, $t(x_1, \ldots, x_n)$, over $\mathcal{A}$ with free variables
$x_1, \ldots, x_n$ there is a term $t^*$ such that for all $a_1, \ldots, a_n \in \mathcal{A}$, $t^* a_1 \ldots a_{n-1}\downarrow$ and

$t^* a_1 \ldots a_n \simeq t(a_1, \ldots, a_n)$

We will write $t^*$ as $(\lambda x_1, \ldots, x_n)t(x_1, \ldots, x_n)$.
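
Proposition 1.14 is the bracket-abstraction construction. The Python sketch below is an added example, not code from the paper: it builds $t^*$ over the free term model generated by s and k and checks both clauses of the proposition on a small term. It assumes that "defined" means "reaches a normal form within a step budget", and the names `app`, `abstract`, `lam`, `step`, `normalize`, `T_STAR` and `OMEGA` are illustrative.

```python
# Added illustration (not from the paper): bracket abstraction over the
# free term model generated by s and k. Atoms are strings; the application
# (f a) is the pair (f, a). "Defined" is modelled as "reaches a normal form
# within a step budget", which is an assumption of this sketch.
S, K = "s", "k"


def app(*ts):
    """Left-associated application: app(a, b, c) is ((a b) c)."""
    t = ts[0]
    for u in ts[1:]:
        t = (t, u)
    return t


I = app(S, K, K)  # the identity: skk a -> k a (k a) -> a


def abstract(x, t):
    """Return t* with no occurrence of x such that t* a reduces to t[x := a].

    Compound terms are always abstracted with s, never with k, so t* is
    s applied to two arguments and therefore defined without being run.
    That is what the first clause of Proposition 1.14 needs when
    application is only partial.
    """
    if t == x:
        return I
    if isinstance(t, str):          # a constant or a different variable
        return app(K, t)
    f, a = t
    return app(S, abstract(x, f), abstract(x, a))


def lam(xs, t):
    """(lambda x1, ..., xn) t, abstracting the innermost variable first."""
    for x in reversed(xs):
        t = abstract(x, t)
    return t


def step(t):
    """One leftmost-outermost reduction step, or None if t is normal."""
    if isinstance(t, str):
        return None
    f, a = t
    if isinstance(f, tuple) and f[0] == K:            # k x a -> x
        return f[1]
    if isinstance(f, tuple) and isinstance(f[0], tuple) and f[0][0] == S:
        x, y = f[0][1], f[1]                          # s x y a -> x a (y a)
        return ((x, a), (y, a))
    r = step(f)
    if r is not None:
        return (r, a)
    r = step(a)
    return None if r is None else (f, r)


def normalize(t, fuel=2000):
    """Normal form of t, or None when the budget runs out (undefined)."""
    for _ in range(fuel):
        r = step(t)
        if r is None:
            return t
        t = r
    return None


# t(x, y) = y x, so t* a b should reduce to b a.
T_STAR = lam(["x", "y"], app("y", "x"))
# sII(sII) has no normal form: application in the term model is partial.
OMEGA = app(S, I, I, app(S, I, I))
```

Applying `T_STAR` to one argument gives a defined term (first clause), applying it to two gives the substituted body (second clause), and `OMEGA` shows why the definedness clause is not automatic.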

Proposition 1.15. For any $\mathcal{A}$ there are $y, y' \in \mathcal{A}$ such that for all $f \in \mathcal{A}$,

1. $yf \simeq f(yf)$

2. $y'f\downarrow$ and for all $e \in \mathcal{A}$, $(y'f)e \simeq f(y'f)e$

One can use this to construct pairing and projection operators that we will
refer to as $p$, $p_0$ and $p_1$. We will write $(e)_i$ to mean $p_i e$ for $i = 0, 1$. One
can further define numerals that we will denote n for each $n \in \omega$. All recursive
functions can then be represented. See chapter 6 of [3] or chapter 1 of [27] for
details.

1.5 The Model $V(\mathcal{A})$

Realizability is one of the main tools in the study of intuitionistic theories and
was used for many well known results including those mentioned in section 1.3.

This variant of realizability has its roots in [T3] , where Kreisel and Troelstra
adapted Kleene's realizability from [T3] to work with second order arithmetic.
This was later adapted and used by Friedman in 7 , by Myhill in [18] and
[T§] and by Beeson in [3] and [3]. In [TB] and [IT], McCarty adapted Beeson's
definition to work for set theories with extensionality. The definition below is
the variation introduced by Rathjen in |22j , where bounded quantifiers are kept
separate in the definition.

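We start by constructing the class $V(\mathcal{A})$ inductively as follows

$V(\mathcal{A})_{\alpha+1} = \mathcal{P}(|\mathcal{A}| \times V(\mathcal{A})_\alpha)$

$V(\mathcal{A})_\lambda = \bigcup_{\beta<\lambda} V(\mathcal{A})_\beta$

$V(\mathcal{A}) = \bigcup_{\alpha \in \mathrm{On}} V(\mathcal{A})_\alpha$

We then introduce a relation $\Vdash$ between $\mathcal{A}$ and formulae with parameters
over $V(\mathcal{A})$. The first two lines of the definition are defined simultaneously by
$\in$-induction and the remaining lines allow one to inductively define realizability
for any sentence, $\phi$.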



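$e \Vdash a \in b$   iff   $(\exists ((e)_0, c) \in b)\,(e)_1 \Vdash a = c$

$e \Vdash a = b$   iff   $(\forall (f, c) \in a)\,(e)_0 f \Vdash c \in b \wedge (\forall (f, c) \in b)\,(e)_1 f \Vdash c \in a$

$e \Vdash \phi \wedge \psi$   iff   $(e)_0 \Vdash \phi \wedge (e)_1 \Vdash \psi$

$e \Vdash \phi \vee \psi$   iff   $((e)_0 = 0 \wedge (e)_1 \Vdash \phi) \vee ((e)_0 = 1 \wedge (e)_1 \Vdash \psi)$

$e \Vdash \phi \to \psi$   iff   $f \Vdash \phi$ implies $e.f \Vdash \psi$

$e \Vdash (\exists x \in a)\phi(x)$   iff   $(\exists ((e)_0, b) \in a)\,(e)_1 \Vdash \phi(b)$

$e \Vdash (\forall x \in a)\phi(x)$   iff   $(\forall (f, b) \in a)\, e.f \Vdash \phi(b)$

$e \Vdash (\exists x)\phi(x)$   iff   $(\exists a \in V(\mathcal{A}))\, e \Vdash \phi(a)$

$e \Vdash (\forall x)\phi(x)$   iff   $(\forall a \in V(\mathcal{A}))\, e \Vdash \phi(a)$

$e \Vdash \neg\phi$   iff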


If $\phi$ has free variables amongst $x_1, \ldots, x_n$, we write $e \Vdash \phi$ to mean
$e \Vdash (\forall x_1, \ldots, x_n)\phi$ (the universal closure of $\phi$).

We write $V(\mathcal{A}) \models \phi$ to mean that there is $e \in \mathcal{A}$ such that $e \Vdash \phi$.

This structure has been defined so that we get soundness for IZF in the
following sense.

Theorem 1.16. Suppose that $\phi$ is a theorem of IZF. Then, $V(\mathcal{A}) \models \phi$.

Recall from chapter 5 of [TB] that $V(\mathcal{A})$ has certain standard representations
of the naturals and Baire space.
Define 

n = \(m,fn) \ m < n} 
w = {(ZL?^) I n € w } 

Then V(.A) has a realizer for the statement that uj is the set of natural numbers. 

Suppose that / G A satisfies that for all n 6 uj, there exists m £ uj such that 
fn = m. Then write 

7= {(R,(n,fn)) \ n E u} 

(where we write (, ) for V(.A)'s internal notion of ordered pair). 

There is a realizer in V(A) for the statement that the set of functions from 
uj to uj is precisely 

{(/,/) | (yneu)(3meu)fn = m} 

2 Outline of the Proof 

We will show that wEP fails for CZF. We do this by first showing that for any
pca, $\mathcal{A}$, we can construct three realizability models, $V(\mathcal{A})$, $V_0^{ip}(\mathcal{A})$, and $V_0^\Gamma(\mathcal{A})$.
$V(\mathcal{A})$ is the usual realizability model of IZF from section 1.5. $V_0^{ip}(\mathcal{A})$ and
$V_0^\Gamma(\mathcal{A})$ are based on injectively presented sets and symmetric sets respectively
and will be described in detail below.

The heart of the proof is that $V_0^{ip}(\mathcal{A})$ and $V_0^\Gamma(\mathcal{A})$ are essentially different
models and yet both can be embedded into $V(\mathcal{A})$ in such a way that realizability
is preserved by the embedding. $V_0^{ip}(\mathcal{A})$ and $V_0^\Gamma(\mathcal{A})$ must both provide witnesses
of existential statements that are still valid in $V(\mathcal{A})$. Definability will imply
that these witnesses are realizably equal in $V(\mathcal{A})$.

The final step of the proof is to construct a particular pca, T, based on term
models and normal filter $\Gamma$ to show wEP fails. The cause of this failure will be
a simple instance of the fullness axiom.

3 The Model $V_0^\Gamma(\mathcal{A})$

3.1 Definitions

A standard technique for showing the independence of choice principles in
classical set theories is by using symmetric models. These can be seen as boolean
valued models where every element is "symmetric." See, for example [5], [11],
[TO] , or [14] for a detailed description. We will construct a realizability model,
$V_0^\Gamma(\mathcal{A})$ based on the same ideas.

We start by defining the model $V_1(\mathcal{A})$, as follows.

$V_1(\mathcal{A})_{\alpha+1} = \mathcal{P}(2 \times |\mathcal{A}| \times V_1(\mathcal{A})_\alpha)$

$V_1(\mathcal{A})_\lambda = \bigcup_{\beta<\lambda} V_1(\mathcal{A})_\beta$

$V_1(\mathcal{A}) = \bigcup_{\alpha \in \mathrm{On}} V_1(\mathcal{A})_\alpha$

One can think of $V_1(\mathcal{A})$ as things from $V(\mathcal{A})$ with an extra label from 2.
Hence given any element of $V_1(\mathcal{A})$ we can think of it as an element of $V(\mathcal{A})$ by
ignoring this extra label. Explicitly we define this recursively as follows. Given
$a \in V_1(\mathcal{A})$,

$a^\circ = \{(e, b^\circ) \mid (s, e, b) \in a\}$

We write $e \Vdash_1 \phi$ to mean that $e \Vdash \phi$ in $V(\mathcal{A})$ when each parameter, $a$, in
$\phi$ has been replaced by $a^\circ$.

Definition 3.1. Let $\mathcal{A}$ be a pca. We say that $\alpha$ is an automorphism of $\mathcal{A}$ if it
is a bijection $\mathcal{A} \to \mathcal{A}$ such that both $\alpha$ and $\alpha^{-1}$ preserve application and
fix $s$ and $k$.

Given an automorphism, $\alpha$, of $\mathcal{A}$, we can lift this inductively to $V_1(\mathcal{A})$ as
follows:

$\alpha(a) = \{(0, \alpha(e), \alpha(b)) \mid (0, e, b) \in a\} \cup \{(1, \alpha(e), \alpha(b)) \mid (1, e, b) \in a\}$

So this is simply the natural action of the automorphism group on $V_1(\mathcal{A})$.

We assume that the pairing and projection elements and numerals that appear
in the definition of realizability over $V(\mathcal{A})$ are defined using $s$ and $k$ and
therefore fixed by any automorphism. Hence we get

Proposition 3.2. Suppose that $\alpha$ is an automorphism of $\mathcal{A}$ and

$e \Vdash \phi$

Then if $\phi^\alpha$ is the result of replacing any parameters $c$ in $\phi$ by $\alpha(c)$, we have

$\alpha(e) \Vdash \phi^\alpha$

Recall that normal filters are defined as follows

Definition 3.3. Let $G$ be a group. Then a set of subgroups, $\Gamma$, is a normal
filter on $G$ if

1. $G \in \Gamma$

2. $H \in \Gamma$ and $H$ is a subgroup of $H'$ implies that $H' \in \Gamma$

3. $H, H' \in \Gamma$ implies that $H \cap H' \in \Gamma$

4. $H \in \Gamma$ and $g \in G$ implies $gHg^{-1} \in \Gamma$

Definition 3.4. Given a normal filter, $\Gamma$, we define the class $V_0^\Gamma(\mathcal{A}) \subseteq V_1(\mathcal{A})$,
of partly symmetric sets inductively as follows.

Given $a \in V_1(\mathcal{A})$, we say $a \in V_0^\Gamma(\mathcal{A})$ if $\mathrm{Stab}_G(a) \in \Gamma$ and for every $(0, e, b) \in a$
we have $b \in V_0^\Gamma(\mathcal{A})$.

In other words, $a$ has a "large" stabiliser and every element that has been
labelled with a $0$ is also partly symmetric. Note that this property is preserved
by automorphisms, and one can easily show the following.

Proposition 3.5. If $a \in V_1(\mathcal{A})$ and $\alpha \in G$ is such that $\alpha(a) = a$, then
$\alpha(a^\circ) = a^\circ$.

In particular if we take an element of $V_0^\Gamma(\mathcal{A})$, then it still has $\mathrm{Stab}_G(a) \in \Gamma$
when we consider it as an element of $V(\mathcal{A})$.

We can now define realizability on $V_0^\Gamma(\mathcal{A})$ as follows



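$e \Vdash_0 a \in b$   iff   $(\exists (0, (e)_0, c) \in b)\,(e)_1 \Vdash_0 a = c$

$e \Vdash_0 a = b$   iff   $(\forall (0, f, c) \in a)\,(e)_0 f \Vdash_0 c \in b \wedge (\forall (0, f, c) \in b)\,(e)_1 f \Vdash_0 c \in a \wedge e \Vdash_1 a = b$

$e \Vdash_0 \phi \wedge \psi$   iff   $(e)_0 \Vdash_0 \phi \wedge (e)_1 \Vdash_0 \psi$

$e \Vdash_0 \phi \vee \psi$   iff   $((e)_0 = 0 \wedge (e)_1 \Vdash_0 \phi) \vee ((e)_0 = 1 \wedge (e)_1 \Vdash_0 \psi)$

$e \Vdash_0 \phi \to \psi$   iff   $f \Vdash_0 \phi$ implies $e.f \Vdash_0 \psi$ and $e \Vdash_1 \phi \to \psi$

$e \Vdash_0 (\exists x \in a)\phi(x)$   iff   $(\exists (0, (e)_0, b) \in a)\,(e)_1 \Vdash_0 \phi(b)$

$e \Vdash_0 (\forall x \in a)\phi(x)$   iff   $(\forall (0, f, b) \in a)\, e.f \Vdash_0 \phi(b)$ and $e \Vdash_1 (\forall x \in a)\phi(x)$

$e \Vdash_0 (\exists x)\phi(x)$   iff   $(\exists a \in V_0^\Gamma(\mathcal{A}))\, e \Vdash_0 \phi(a)$

$e \Vdash_0 (\forall x)\phi(x)$   iff   $(\forall a \in V_0^\Gamma(\mathcal{A}))\, e \Vdash_0 \phi(a) \wedge (\forall a \in V_1(\mathcal{A}))\, e \Vdash_1 \phi(a)$

$e \Vdash_0 \neg\phi$   iff   if $f \Vdash$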



We write $V_0^\Gamma(\mathcal{A}) \models \phi$ to mean that there is some $e \in \mathcal{A}$ such that $e \Vdash_0 \phi$.
We clearly have the following proposition.

Proposition 3.6. Suppose that $\alpha$ is an automorphism and

$e \Vdash_0 \phi$

Then, writing $\phi^\alpha$ for the formula obtained by replacing any parameters, $a$, in
$\phi$ by $\alpha(a)$,

$\alpha(e) \Vdash_0 \phi^\alpha$

The definition above can be seen as a combination of realizability and Kripke
models of intuitionistic logic. See for example [26] for a description of Kripke
models. Like in [3], the poset used in this model would have just two elements.
On this basis, one should not be surprised by the following proposition.

Proposition 3.7. Suppose that $e \Vdash_0 \phi$. Then also $e \Vdash_1 \phi$.

Proof. We show this by induction on formulae, $\phi$. One can see that the
definition of $\Vdash_0$ has been carefully chosen so that we can perform the induction
at $=$, universal quantifiers, implication, and negation. One can check that the
induction holds at conjunction, disjunction, $\in$, and existential quantifiers. □

3.2 Soundness Theorems 

We now need to show soundness for intuitionistic logic and the axioms of CZF. 
Throughout the soundness theorems, the following proposition is useful. 

Proposition 3.8. 1. To show $e \Vdash_0 (\forall x_1) \ldots (\forall x_n)\phi(x_1, \ldots, x_n)$ it is
sufficient to show that for all $a_1, \ldots, a_n \in V_0^\Gamma(\mathcal{A})$,

$e \Vdash_0 \phi(a_1, \ldots, a_n)$

and for all $a_1, \ldots, a_n \in V_1(\mathcal{A})$,

$e \Vdash_1 \phi(a_1, \ldots, a_n)$

2. To show $e \Vdash_0 \phi_1 \to (\phi_2 \to (\ldots \to (\phi_n \to \psi) \ldots))$, it is sufficient to show
that for any $e_1, \ldots, e_{n-1} \in \mathcal{A}$, $e e_1 \ldots e_{n-1}\downarrow$ and that whenever $e_i \Vdash_0 \phi_i$
for each $i = 1, \ldots, n$ we have

$e e_1 \ldots e_n \Vdash_0 \psi$

and whenever $e_i \Vdash_1 \phi_i$ for each $i = 1, \ldots, n$ we have

$e e_1 \ldots e_n \Vdash_1 \psi$

Proof. Both parts can be proved by induction on $n$. □

3.3 First Order Logic 

Proposition 3.9. $V_0^\Gamma(\mathcal{A})$ satisfies soundness for first order logic.

Explicitly this means that for every axiom $\phi$ of the intuitionistic predicate
calculus, $V_0^\Gamma(\mathcal{A}) \models \phi$, and for every inference rule, $\frac{\phi_1 \;\ldots\; \phi_n}{\psi}$, if $V_0^\Gamma(\mathcal{A}) \models \phi_i$ for
$i = 1, \ldots, n$, then $V_0^\Gamma(\mathcal{A}) \models \psi$.

The reader may wish to compare the following with the proofs for soundness
of intuitionistic logic in realizability and Kripke models in, for example, [26] .

3.3.1 Axioms

The axioms of intuitionistic predicate calculus are as follows.

1. $\phi \to (\psi \to \phi)$

2. $(\phi \to (\psi \to \chi)) \to ((\phi \to \psi) \to (\phi \to \chi))$

3. $\phi \to (\psi \to \phi \wedge \psi)$

4. $\phi \wedge \psi \to \phi$

5. $\phi \wedge \psi \to \psi$

6. $\phi \to \phi \vee \psi$

7. $\psi \to \phi \vee \psi$

8. $(\phi \vee \psi) \to ((\phi \to \chi) \to ((\psi \to \chi) \to \chi))$

9. $(\phi \to \psi) \to ((\phi \to \neg\psi) \to \neg\phi)$

10. $\phi \to (\neg\phi \to \psi)$

11. $(\forall x)\phi(x) \to \phi(y)$, where $y$ is free for $x$ in $\phi(x)$

12. $\phi(y) \to (\exists x)\phi(x)$, where $y$ is free for $x$ in $\phi(x)$

As an example we will prove 2 and 11. These demonstrate the main ideas
that are used for the remaining axioms.

2 We claim that

$s \Vdash_0 (\phi \to (\psi \to \chi)) \to ((\phi \to \psi) \to (\phi \to \chi))$

By proposition 3.8 it is enough to show that whenever $e \Vdash_0 \phi \to (\psi \to \chi)$,
$f \Vdash_0 \phi \to \psi$ and $g \Vdash_0 \phi$ we have

$sefg \Vdash_0 \chi$

and whenever $e \Vdash_1 \phi \to (\psi \to \chi)$, $f \Vdash_1 \phi \to \psi$ and $g \Vdash_1 \phi$ we have

$sefg \Vdash_1 \chi$

However, $sefg = eg(fg)$, so one can easily check that this is the case. (We also
have that by definition $sef\downarrow$ for all $e$ and $f$.)

11 Let $I := skk$ be the identity. Then we claim

$I \Vdash_0 (\forall x)\phi(x) \to \phi(y)$

What we actually mean is the universal closure of this axiom. Without loss
of generality we can assume the universal closure is (ignoring any additional
parameters) the following:

$I \Vdash_0 (\forall y)((\forall x)\phi(x) \to \phi(y))$

Expanding this out, this means that for $b \in V_0^\Gamma(\mathcal{A})$,

$I \Vdash_0 (\forall x)\phi(x) \to \phi(b)$

and for $b \in V_1(\mathcal{A})$,

$I \Vdash_1 (\forall x)\phi(x) \to \phi(b)$

So suppose that $e \Vdash_0 (\forall x)\phi(x)$ and $b \in V_0^\Gamma(\mathcal{A})$. Then in particular,

$e \Vdash_0 \phi(b)$

If $e \Vdash_1 (\forall x)\phi(x)$, then

$e \Vdash_1 \phi(b)$

So we have shown

$I \Vdash_0 (\forall x)\phi(x) \to \phi(b)$

However, we can similarly show that for $b \in V(\mathcal{A})$

$I \Vdash_1 (\forall x)\phi(x) \to \phi(b)$

So we can deduce

$I \Vdash_0 (\forall y)((\forall x)\phi(x) \to \phi(y))$

as required.

3.3.2 Inference Rules 

The inference rules of IPL are

1. $\frac{\phi \quad \phi \to \psi}{\psi}$

2. $\frac{\psi \to \phi(x)}{\psi \to (\forall x)\phi(x)}$ where $x \notin FV(\psi)$

3. $\frac{\phi(x) \to \psi}{(\exists x)\phi(x) \to \psi}$ where $x \notin FV(\psi)$

1 (Modus Ponens) Note first that we can assume that

$e \Vdash_0 (\forall x_1, \ldots, x_n)\phi(x_1, \ldots, x_n)$

$f \Vdash_0 (\forall x_1, \ldots, x_n)\phi(x_1, \ldots, x_n) \to \psi(x_1, \ldots, x_n)$

where the free variables for $\phi$ and $\psi$ are amongst $x_1, \ldots, x_n$.
Then for any $a_1, \ldots, a_n \in V_0^\Gamma(\mathcal{A})$,

$e \Vdash_0 \phi(a_1, \ldots, a_n)$

$f \Vdash_0 \phi(a_1, \ldots, a_n) \to \psi(a_1, \ldots, a_n)$

and hence $e.f \Vdash_0 \psi(a_1, \ldots, a_n)$. Similarly, for any $a_1, \ldots, a_n \in V_1(\mathcal{A})$,
$e.f \Vdash_1 \psi(a_1, \ldots, a_n)$. So we have shown

$e.f \Vdash_0 (\forall x_1, \ldots, x_n)\psi(x_1, \ldots, x_n)$

2 We show that if $e \Vdash_0 \psi \to \phi(x)$, then

$e \Vdash_0 \psi \to (\forall x)\phi(x)$

So suppose that $e \Vdash_0 \psi \to \phi(x)$. Then, more explicitly (ignoring any additional
free variables) this is

$e \Vdash_0 (\forall x)(\psi \to \phi(x))$

In particular, if $a \in V_0^\Gamma(\mathcal{A})$, then

$e \Vdash_0 \psi \to \phi(a)$

and if $a \in V(\mathcal{A})$ then

$e \Vdash_1 \psi \to \phi(a)$

Now suppose that $f \Vdash_0 \psi$. We need to show that for any $a \in V_0^\Gamma(\mathcal{A})$, $e.f \Vdash_0 \phi(a)$
and for any $a \in V_1(\mathcal{A})$, $e.f \Vdash_1 \phi(a)$. But this is clear from the above, so we can
deduce

$e.f \Vdash_0 (\forall x)\phi(x)$

We can similarly show that if $f \Vdash_1 \psi$, then

$e.f \Vdash_1 (\forall x)\phi(x)$

and so

$e \Vdash_0 \psi \to (\forall x)\phi(x)$

3 We claim that if $e \Vdash_0 \phi(x) \to \psi$, then $e \Vdash_0 (\exists x)\phi(x) \to \psi$. First note as
before, that what we actually assume is that

$e \Vdash_0 (\forall x)(\phi(x) \to \psi)$

Now suppose that $f \Vdash_0 (\exists x)\phi(x)$. Then there is $a \in V_0^\Gamma(\mathcal{A})$ such that $f \Vdash_0 \phi(a)$.
But we know from the above that

$e \Vdash_0 \phi(a) \to \psi$

And so,

$e.f \Vdash_0 \psi$

We similarly know that if $f \Vdash_1 (\exists x)\phi(x)$, then $e.f \Vdash_1 \psi$. So we can deduce

$e \Vdash_0 (\exists x)\phi(x) \to \psi$

3.3.3 Axioms of Equality 

In the following, we will need to work inductively on the definition of $V_0^\Gamma(\mathcal{A})$,
so it will be useful to have a notion of rank that we can induct on.

Definition 3.10. The rank, $\mathrm{rank}(a)$ of $a \in V_1(\mathcal{A})$ is defined inductively as
follows:

$\mathrm{rank}(a) = \bigcup_{(s,e,b) \in a} (\mathrm{rank}(b) + 1)$

Proposition 3.11. Suppose that $a, b \in V_1(\mathcal{A})$. If $V_1(\mathcal{A}) \models a = b$, then
$\mathrm{rank}(a) = \mathrm{rank}(b)$.

Proof. We show by induction that for any $\alpha$, for any $a, b$, if $V_1(\mathcal{A}) \models a = b$ and
$\mathrm{rank}(a) = \alpha$, then $\mathrm{rank}(b) = \alpha$.

Let $(e, c) \in a$. Then there is $(e', c') \in b$ such that $V_1(\mathcal{A}) \models c = c'$. Then
$\mathrm{rank}(c) \in \alpha$ and so we may assume by induction that $\mathrm{rank}(c) = \mathrm{rank}(c')$, and
so

$\mathrm{rank}(c) + 1 = \mathrm{rank}(c') + 1 < \mathrm{rank}(b)$

Hence $\mathrm{rank}(a) \subseteq \mathrm{rank}(b)$. If $(e, c) \in b$, then there is some $(e', c') \in a$ such
that $V_1(\mathcal{A}) \models c = c'$. Then we must also have $V_1(\mathcal{A}) \models c' = c$ and we know
that $\mathrm{rank}(c') \in \alpha$. So $\mathrm{rank}(c) = \mathrm{rank}(c')$. By the same reasoning as above
$\mathrm{rank}(b) \subseteq \mathrm{rank}(a)$ and so $\mathrm{rank}(a) = \mathrm{rank}(b)$. □

Proposition 3.12. One can construct realizers $i_r$, $i_s$, $i_t$, $i_0$, $i_1$ such that

1. $i_r \Vdash_0 (\forall x)\, x = x$

2. $i_s \Vdash_0 (\forall x, y)\, x = y \to y = x$

3. $i_t \Vdash_0 (\forall x, y, z)(x = y \to (y = z \to x = z))$

4. $i_0 \Vdash_0 (\forall x, y, z)(x = y \to (y \in z \to x \in z))$

5. $i_1 \Vdash_0 (\forall x, y, z)(x = y \to (z \in x \to z \in y))$

Furthermore, for each formula (without parameters), $\phi(x, z_1, \ldots, z_n)$, there
is $i_\phi$ such that

$i_\phi \Vdash_0 x = y \to (\phi(x, z_1, \ldots, z_n) \to \phi(y, z_1, \ldots, z_n))$

Proof. We take these realizers from the proof of theorem 6.3 in [IB] and check
that they still work in this context.

Define $i_r$ from the fixed point theorem so that

$((i_r)_0 f)_0 = f$
$((i_r)_0 f)_1 = i_r$
$((i_r)_1 f)_0 = f$
$((i_r)_1 f)_1 = i_r$

In order to show $i_r \Vdash_0 (\forall x)\, x = x$, by proposition 3.8 what we need to show
is

1. for every $a \in V_0^\Gamma(\mathcal{A})$, $i_r \Vdash_0 a = a$

2. for every $a \in V_1(\mathcal{A})$, $i_r \Vdash_1 a = a$

However note that the second of these conditions is basically the same as the
statement $i_r \Vdash a = a$ in $V(\mathcal{A})$. Hence we only have to check the first condition.

Furthermore, since we already know that for every $a \in V_0^\Gamma(\mathcal{A})$, $i_r \Vdash_1 a = a$,
all we have to check is the following:

$(\forall (0, f, b) \in a)\,(i_r)_0 f \Vdash_0 b \in a$

and

$(\forall (0, f, b) \in a)\,(i_r)_1 f \Vdash_0 b \in a$

We show by induction that these conditions hold for every $a \in V_0^\Gamma(\mathcal{A})$.

Suppose that $(0, f, b) \in a$. Then since this has been labelled with 0, we know
that $b$ is also partly symmetric. Also $b$ is of strictly lower rank, so we can apply
induction here and the above arguments to get

$i_r \Vdash_0 b = b$

However, recall that we defined $i_r$ using the fixed point theorem so that for
all $f$,

$((i_r)_0 f)_0 = f$
$((i_r)_0 f)_1 = i_r$

(and the same equations for $(i_r)_1$).
Hence $i_r \Vdash_0 a = a$ as required.

The proof that $i_s$ works as required is trivial and still holds here.

$i_t$, $i_0$ and $i_1$ are also the same as in [16] and the proofs that they are as
required can be similarly adapted to this context.

The $i_\phi$ are constructed by induction on the construction of $\phi$. We will
explicitly show how to do this for unbounded universal quantifiers and implication
since these contain the main ideas for the rest of the induction.

We first show how to construct $i_{\phi \to \psi}$.

Suppose that $a, b, c \in V_0^\Gamma(\mathcal{A})$, $e \Vdash_0 a = b$ and $f \Vdash_0 \phi(a, c) \to \psi(a, c)$.
Suppose further that

$g \Vdash_0 \phi(b, c)$

Then

$i_\phi(i_s e)g \Vdash_0 \phi(a, c)$

and so

$f(i_\phi(i_s e)g) \Vdash_0 \psi(a, c)$

and finally

$i_\psi e(f(i_\phi(i_s e)g)) \Vdash_0 \psi(b, c)$

Hence we can apply similar reasoning for $\Vdash_1$ and for $a, b, c \in V_1(\mathcal{A})$ and use
proposition 3.8 to show that we can take $i_{\phi \to \psi}$ to be

$i_{\phi \to \psi} := (\lambda x, y, z).\, i_\psi x(y(i_\phi(i_s x)z))$

For unbounded universal quantifiers, we show that we can take
$i_{(\forall z)\phi(x,z)} := i_{\phi(x,z)}$. Suppose that

$i_{\phi(x,z)} \Vdash_0 (\forall z)(x = y \to (\phi(x, z) \to \phi(y, z)))$

and suppose that for $a, b \in V_0^\Gamma(\mathcal{A})$, $e \Vdash_0 a = b$ and

$f \Vdash_0 (\forall z)\phi(a, z)$

Then for all $c \in V_0^\Gamma(\mathcal{A})$,

$f \Vdash_0 \phi(a, c)$

and so

$i_{\phi(x,z)} e f \Vdash_0 \phi(b, c)$

One can check the corresponding case for $c \in V_1(\mathcal{A})$ to get

$i_{\phi(x,z)} e f \Vdash_0 (\forall z)\phi(b, z)$

as required. □

Proposition 3.13. Bounded and unbounded quantifiers agree. That is, we can
find realizers for the following statements.

1. $(\forall x \in a)\phi(x) \to (\forall x)(x \in a \to \phi(x))$

2. $(\forall x)(x \in a \to \phi(x)) \to (\forall x \in a)\phi(x)$

3. $(\exists x \in a)\phi \to (\exists x)(x \in a \wedge \phi(x))$

4. $(\exists x)(x \in a \wedge \phi(x)) \to (\exists x \in a)\phi(x)$

Proof. The proof of theorem 4.3 from [35] can easily be adapted by applying
proposition 3.8 where necessary. □

The following help illustrate the relation between realizability in $V_0^\Gamma(\mathcal{A})$ and
$V(\mathcal{A})$.

Definition 3.14. We say that $a \in V_0^\Gamma(\mathcal{A})$ is (completely) symmetric if every
element of $a$ is of the form

$(0, e, b)$

where $b$ is completely symmetric. (This is an inductive definition).

Proposition 3.15. Suppose that $\phi$ is a bounded formula, all of whose parameters
are completely symmetric. Then

$e \Vdash_0 \phi$ iff $e \Vdash_1 \phi$

Proof. When all parameters are completely symmetric the two definitions of
realizability agree for everything except unbounded quantifiers. □

We now move on to the proof of soundness for the axioms of set theory. To 
make things easier, we assume a background universe of ZFC, and show the 
soundness of IZF. 

Theorem 3.16. $V^\Gamma(\mathcal{A})$ satisfies the axioms of IZF.

We first deal with what are sometimes referred to as "set existence axioms." That is, axioms of the form

$(\forall z_1, \ldots, z_n)(\forall x)(\exists y)\phi(x, y, z_1, \ldots, z_n)$

where the free variables of $\phi$ are amongst $x, y, z_1, \ldots, z_n$. For these axioms we can apply proposition 3.8 to show that it is sufficient to find $e$ such that for every $a, c_1, \ldots, c_n \in V_1(\mathcal{A})$, there is $b \in V_1(\mathcal{A})$ such that

$e \Vdash_1 \phi(a, b, c_1, \ldots, c_n)$

and for every $a, c_1, \ldots, c_n \in V_0^\Gamma(\mathcal{A})$ there is $b \in V_0^\Gamma(\mathcal{A})$ such that

$e \Vdash_0 \phi(a, b, c_1, \ldots, c_n)$

However, the first of these statements follows from the soundness theorem for $V(\mathcal{A})$. Hence we only have to check the second of these conditions.

Separation By the above reasoning, what we need to show is the following statement:

Suppose that $e$ is the usual realizer for separation from [16] or [22], $A$ is a partly symmetric set, and $\phi(x)$ is a formula with partly symmetric parameters. Then there is a partly symmetric set, $S$, such that

$e \Vdash_0 ((\forall x \in A)\phi(x) \to x \in S) \wedge ((\forall x \in S) x \in A \wedge \phi(x))$

We construct this $S$ as follows:

$S_0 = \{\langle 0, \mathbf{p}fg, a \rangle \mid \langle 0, f, a \rangle \in A \wedge g \Vdash_0 \phi(a)\}$

$S_1 = \{\langle 1, \mathbf{p}fg, a \rangle \mid \langle s, f, a \rangle \in A \wedge g \Vdash_1 \phi(a)\}$

$S = S_0 \cup S_1$

Suppose that $H$ is the intersection of stabilisers of $A$ and all the parameters of $\phi$. Note that $H \in \Gamma$.

Let $\alpha \in H$, and $\langle 0, \mathbf{p}fg, a \rangle \in S_0$. Then $\langle 0, f, a \rangle \in A$ and $g \Vdash_0 \phi(a)$. Since $\alpha \in H$, we know that $\langle 0, \alpha(f), \alpha(a) \rangle \in A$ and $\alpha(g) \Vdash_0 \phi(\alpha(a))$. Hence we also have $\langle 0, \alpha(\mathbf{p}fg), \alpha(a) \rangle \in S_0$. One can show the same result for $S_1$ and hence get $\mathrm{Stab}_G(S) \in \Gamma$. Note further that if $\langle 0, \mathbf{p}fg, a \rangle \in S$ then also $\langle 0, f, a \rangle \in A$ and so $a$ is partly symmetric. We can now deduce that $S$ is partly symmetric.

One can easily check that the usual realizer does still work for $S$.

Power Set As before, note that we only have to check power set for partly symmetric sets. Hence let $A \in V_0^\Gamma(\mathcal{A})$.
Let

$P_0 = \{\langle 0, e, b \rangle \mid b \in V_0^\Gamma(\mathcal{A}),\ e \Vdash_0 b \subseteq A\}$

$P_1 = \{\langle 1, e, b \rangle \mid b \in V_1(\mathcal{A}),\ e \Vdash_1 b \subseteq A\}$

$P = P_0 \cup P_1$

Note that by the arguments in [16], both $P_0$ and $P_1$ are sets. Further note that if $e \Vdash_0 b \subseteq A$ and $\alpha \in \mathrm{Stab}_G(A)$ then $\alpha(e) \Vdash_0 \alpha(b) \subseteq A$, and similarly if $e \Vdash_1 b \subseteq A$, and we have ensured that any elements of $P$ labelled with 0 are partly symmetric. Hence $P$ is partly symmetric.

One can easily show that the realizer in [16] still works here.

Union We assume that we are given a set $A \in V_0^\Gamma(\mathcal{A})$ and construct a set to show the union axiom. Since we already have full separation, we only have to construct a $U$ such that we have a realizer for $(\forall x \in A)(\forall y \in x) y \in U$.
Let

$U = \{\langle 0, 0, b \rangle \mid \langle 0, e, c \rangle \in A,\ \langle 0, f, b \rangle \in c\} \cup \{\langle 1, 0, b \rangle \mid \langle s, e, c \rangle \in A,\ \langle s', f, b \rangle \in c\}$

Note that

$\mathsf{k}(\mathsf{k}(\mathbf{p}0\mathbf{i}_r)) \Vdash_0 (\forall x \in A)(\forall y \in x) y \in U$

Pair Given $a, b \in V_0^\Gamma(\mathcal{A})$, consider the set

$P = \{\langle 0, 0, a \rangle, \langle 0, 1, b \rangle\}$

We can easily see that

$e \Vdash_0 (\forall x)(x \in P \leftrightarrow (x = a \vee x = b))$

Infinity We check that the proof in [22] still holds here. We use the same $\overline{\omega}$ as in section 1.5. We write $\bot_v$ for the formula $(\forall x \in v)\bot$, and write $SC(x,y)$ for $y = x \cup \{x\}$ (expressed as a bounded formula).

Note first that we can apply proposition 3.15 and the soundness theorem in [22] to reduce the problem to finding a realizer for

$(\forall v)((\bot_v \vee (\exists u \in \overline{\omega})SC(u,v)) \to v \in \overline{\omega})$

Since we can clearly find a realizer to show that the empty set is in $\overline{\omega}$, this is reduced to finding a realizer for

$(\forall v)((\exists u \in \overline{\omega})SC(u,v) \to v \in \overline{\omega})$

Hence we assume that there is $a \in V_0^\Gamma(\mathcal{A})$ with $e \Vdash_0 (\exists u \in \overline{\omega})SC(u,a)$. So there must be some $n$ such that $(e)_0 = n$ and $(e)_1 \Vdash_0 SC(n, a)$.

One can clearly find a realizer for $SC(n, n+1)$ and hence a realizer, using the soundness of extensionality (once we have checked this), for $SC(u,v) \wedge SC(u,v') \to v = v'$. We can use these to construct a realizer for $a \in \overline{\omega}$, as required.

Collection Assume

$e \Vdash_0 (\forall x \in A)(\exists y)\phi(x,y)$

where $\phi$ is a formula with all parameters partly symmetric.

By collection in the background universe, we can find a $C_0$ such that whenever $\langle 0, f, a \rangle \in A$, there is $\langle 0, 0, c \rangle \in C_0$ such that $c$ is partly symmetric and $e.f \Vdash_0 \phi(a,c)$. Note that $C_0' := C_0 \cap \{0\} \times \{0\} \times V_0^\Gamma(\mathcal{A})$ still has this property, but is an element of $V_1(\mathcal{A})$ such that for every $\langle 0, g, c \rangle \in C_0'$, $c$ is partly symmetric.

Similarly, there is a $C_1'$, such that every element of $C_1'$ is of the form $\langle 1, 0, c \rangle$ with $c \in V_1(\mathcal{A})$ and whenever $\langle s, f, a \rangle \in A$, there is $\langle 1, 0, c \rangle \in C_1'$ such that $e.f \Vdash_1 \phi(a,c)$.

Let $C' = C_0' \cup C_1'$, and let $C$ be the closure of $C'$ under all automorphisms in $G$. Note that $C \in V_0^\Gamma(\mathcal{A})$ and this set together with the usual realizer from [16] is enough to show the soundness of collection.

Extensionality One can check that the realizers for the formula

$((\forall x \in a) x \in b) \wedge ((\forall x \in b) x \in a)$

in fact are already realizers for $a = b$, so we can use the identity to show extensionality (in this form).

$\in$-Induction Suppose that

$e \Vdash_0 (\forall y)((\forall x \in y)\phi(x) \to \phi(y))$

Let $e' = (\lambda x, y).e.x$ and let $f$ be given by the fixed point theorem so that for all $g$

$f.g \simeq e'.f.g$

Note that we know

$e \Vdash_1 (\forall y)((\forall x \in y)\phi(x) \to \phi(y))$

and so by the usual proof we have that for all $a \in V_1(\mathcal{A})$, and all $g \in \mathcal{A}$, $f.g \Vdash_1 \phi(a)$. We claim that for all $a \in V_0^\Gamma(\mathcal{A})$, and all $g \in \mathcal{A}$, $f.g\downarrow$, and $f.g \Vdash_0 \phi(a)$.

So suppose that $a \in V_0^\Gamma(\mathcal{A})$. Then for every $\langle 0, g, b \rangle \in a$, we know by induction in the background universe (since $b$ must be partly symmetric and of strictly lower rank than $a$) that $f.g\downarrow$ and $f.g \Vdash_0 \phi(b)$. We also know from the above that $f \Vdash_1 (\forall x \in a)\phi(x)$. Hence $f \Vdash_0 (\forall x \in a)\phi(x)$. Thus we have for any $g \in \mathcal{A}$, $e'fg \simeq ef$ (is defined and) realizes $\phi(a)$. But $e'fg \simeq fg$ and so $f.g \Vdash_0 \phi(a)$ as required.

□

Remark 3.17. Note that when we proved the axiom of infinity we used the same standard representation $\overline{\omega}$ as for $V(\mathcal{A})$. Note further that if $f \in \mathcal{A}$ is such that for all $n \in \omega$ there is $m \in \omega$ with $fn = m$, then the $\overline{f}$ from section 1.5 is completely symmetric and hence we have the same standard representations of the naturals and Baire space as we did before.

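4 The Model $V^{ip}(\mathcal{A})$

We say that $a \in V(\mathcal{A})$ is injectively presented if for any $\langle e, b \rangle, \langle e', b' \rangle \in a$, if $e = e'$ then $b = b'$.

Define $V_0^{ip}(\mathcal{A})$ inductively as follows

$V_0^{ip}(\mathcal{A})_{\alpha+1} = \{X \subseteq |\mathcal{A}| \times V_0^{ip}(\mathcal{A})_\alpha \mid X \text{ is injectively presented}\}$

$V_0^{ip}(\mathcal{A})_\lambda = \bigcup_{\beta < \lambda} V_0^{ip}(\mathcal{A})_\beta$

$V_0^{ip}(\mathcal{A}) = \bigcup_{\alpha \in \mathrm{On}} V_0^{ip}(\mathcal{A})_\alpha$

We define realizability on $V_0^{ip}(\mathcal{A})$ as follows. We write $\Vdash_1$ for realizability at $V(\mathcal{A})$.

$e \Vdash_0 a \in b$ iff $(\exists \langle (e)_0, c \rangle \in b)\ (e)_1 \Vdash_0 a = c$

$e \Vdash_0 a = b$ iff $(\forall \langle f, c \rangle \in a)\ (e)_0.f \Vdash_0 c \in b \ \wedge\ (\forall \langle f, c \rangle \in b)\ (e)_1.f \Vdash_0 c \in a$

$e \Vdash_0 \phi \wedge \psi$ iff $(e)_0 \Vdash_0 \phi \ \wedge\ (e)_1 \Vdash_0 \psi$

$e \Vdash_0 \phi \vee \psi$ iff $((e)_0 = 0 \wedge (e)_1 \Vdash_0 \phi) \vee ((e)_0 = 1 \wedge (e)_1 \Vdash_0 \psi)$

$e \Vdash_0 \phi \to \psi$ iff $f \Vdash_0 \phi$ implies $e.f \Vdash_0 \psi$ and $e \Vdash_1 \phi \to \psi$

$e \Vdash_0 (\exists x \in a)\phi(x)$ iff $(\exists \langle (e)_0, b \rangle \in a)\ (e)_1 \Vdash_0 \phi(b)$

$e \Vdash_0 (\forall x \in a)\phi(x)$ iff $(\forall \langle f, b \rangle \in a)\ e.f \Vdash_0 \phi(b)$ and

$e \Vdash_0 (\exists x)\phi(x)$ iff $(\exists a \in V_0^{ip}(\mathcal{A}))\ e \Vdash_0 \phi(a)$

$e \Vdash_0 (\forall x)\phi(x)$ iff $(\forall a \in V_0^{ip}(\mathcal{A}))\ e \Vdash_0 \phi(a) \ \wedge\ (\forall a \in V(\mathcal{A}))\ e \Vdash_1 \phi(a)$

$e \Vdash_0 \neg\phi$ iff $(\forall f)\ f \nVdash_0 \phi$

We write $V_0^{ip}(\mathcal{A}) \models \phi$ to mean that there is some $e \in \mathcal{A}$ such that $e \Vdash_0 \phi$.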

Remark 4.1. This is a much simpler embedding than that of $V_0^\Gamma(\mathcal{A})$. We have not needed to alter the definition of realizability for bounded universal quantification and equality in order to ensure realizability is preserved. Hence, realizability for bounded formulae is identical in $V_0^{ip}(\mathcal{A})$ and $V(\mathcal{A})$.

Proposition 4.2. $V_0^{ip}(\mathcal{A})$ is sound with respect to the intuitionistic predicate calculus and axioms of equality.

Proof. This follows by exactly the same proof as for $V_0^\Gamma(\mathcal{A})$. □

It remains to check that when we show the soundness of the axioms of 
CZF, we can assume the sets we construct are injectively presented. Since we 
will require choice in the background universe for this proof, we work over a 
background universe of ZFC. 

Theorem 4.3. $V^{ip}(\mathcal{A})$ is sound with respect to the axioms of CZF.

Extensionality This is the same as for $V(\mathcal{A})$.

Bounded Separation Given $A \in V_0^{ip}(\mathcal{A})$ and a bounded formula, $\phi$, consider the set

$S = \{\langle \mathbf{p}ef, a \rangle \mid \langle e, a \rangle \in A,\ f \Vdash_0 \phi(a)\}$

Note that this is injectively presented, since $A$ is, and since realizability for bounded formulae is identical in $V_0^{ip}(\mathcal{A})$ and $V(\mathcal{A})$, we can see that this can be used to show the soundness of bounded separation.

Pair Given $a, b \in V(\mathcal{A})$, consider

$P = \{\langle 0, a \rangle, \langle 1, b \rangle\}$

This is clearly injectively presented, and we can easily use this to show the soundness of pair.

Strong Collection Suppose that

$e \Vdash_0 (\forall x \in A)(\exists y)\phi(x,y)$

For each $\langle f, a \rangle \in A$, we can assume by choice in the background universe that we have chosen a $c_f \in V_0^{ip}(\mathcal{A})$ such that $e.f \Vdash_0 \phi(a, c_f)$ (and hence also $e.f \Vdash_1 \phi(a, c_f)$).
Let

$C = \{\langle f, c_f \rangle \mid \langle f, a \rangle \in A\}$

This is clearly injectively presented (since $A$ is).
Note that

$(\lambda x).\mathbf{p}x(e.x) \Vdash_0 (\forall x \in A)(\exists y \in C)\phi(x,y)$

and in fact we can use exactly the same realizer again in

$(\lambda x).\mathbf{p}x(e.x) \Vdash_0 (\forall y \in C)(\exists x \in A)\phi(x,y)$

(since every element of $C$ is of the form $\langle f, c_f \rangle$ where $\langle f, x \rangle \in A$ and $e.f \Vdash_0 \phi(x, c_f)$). So we get soundness for strong collection.

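Subset Collection Suppose we are given sets $A, B \in V_0^{ip}(\mathcal{A})$. Suppose further that $e \in \mathcal{A}$ is such that for all $\langle f, a \rangle \in A$, $e.f\downarrow$ and there is $\langle e.f, b \rangle \in B$ for some $b$. In this case we can define

$\overline{e} := \{\langle f, b \rangle \mid \exists a\, \langle f, a \rangle \in A,\ \langle e.f, b \rangle \in B\}$

(Clearly $\overline{e} \in V_0^{ip}(\mathcal{A})$).
Now let

$D := \{\langle e, \overline{e} \rangle \mid e \in \mathcal{A},\ \overline{e} \text{ is defined}\}$

Clearly $D \in V_0^{ip}(\mathcal{A})$. We shall show that we can use $D$ to show the soundness of subset collection.

Suppose that $u \in V(\mathcal{A})$ is such that

$e \Vdash_1 (\forall x \in A)(\exists y \in B)\phi(x, y, u)$

Let

$e' := (\lambda x).(ex)_0$

Note that for every $\langle f, a \rangle \in A$, we have $e'.f\downarrow$ and there is (a unique) $b$ with $\langle e'.f, b \rangle \in B$, and so $\langle e', \overline{e'} \rangle \in D$. Furthermore $(e.f)_1 \Vdash_1 \phi(a, b, u)$, and so we can find a realizer for

$(\forall x \in A)(\exists y \in \overline{e'})\phi(x, y, u) \wedge (\forall y \in \overline{e'})(\exists x \in A)\phi(x, y, u)$

We can do exactly the same if

$e \Vdash_0 (\forall x \in A)(\exists y \in B)\phi(x, y, u)$

Hence this does give a proof of the soundness of subset collection.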

Union Suppose we have been given $A \in V_0^{ip}(\mathcal{A})$. We want to find an injectively presented set that we can use to show the union axiom. So let

$U = \{\langle \mathbf{p}ef, c \rangle \mid \langle f, b \rangle \in A,\ \langle e, c \rangle \in b\}$

Then we see that

$(\lambda x, y).\mathbf{p}(\mathbf{p}yx)\mathbf{i}_r \Vdash_0 (\forall x \in A)(\forall y \in x) y \in U$

Infinity We note that the $\overline{\omega}$ given in section 1.5 is injectively presented, and since no other sets need to be constructed in the proof of infinity, this means we can use the same proof as usual here (see e.g. [22]).

$\in$-Induction The same proof as for $V_0^\Gamma(\mathcal{A})$ still holds here. □

5 The Pca $\mathcal{T}$
5.1 Definition

We will define a term model based on combinatory logic. This is similar to the model NT that appears in chapter 6 of [3].

We start by adding constants $\xi_i$ and $\zeta_F$ to the language of combinatory logic.

Definition 5.1. The set, $\mathcal{C}$, of terms is defined inductively as follows

1. constants $\mathsf{s}$ and $\mathsf{k}$ are terms

2. free variables $x_i$ for each $i \in \omega$ are terms

3. for each $i > 0$, the constant $\xi_i$ is a term (we will call these atoms)

4. for each bijection $F : \omega_{>0} \to \omega_{>0}$, the constant $\zeta_F$ is a term

5. if $L$ and $M$ are terms then $L.M$ is a term

We will consider $\mathcal{C}$ as a term rewriting system. We have in particular the two standard reduction rules

$\mathsf{s}xyz \to xz(yz)$
$\mathsf{k}xy \to x$






In addition to these, we add a new reduction rule. In the below let $\underline{n}$ be $n$ encoded using $\mathsf{s}$ and $\mathsf{k}$ in the usual way. Then we define $\zeta$-reduction as follows:

$\zeta_F t \to \underline{n}$

where $t$ is a closed term and $n$ is either maximal such that $n = F(m)$ where $\xi_m$ occurs in $t$, or $n = 0$ and no $\xi_m$ occurs in $t$.

Note that this term rewriting system is ambiguous. That is, there are terms that can be reduced in two incompatible ways. For example, the term $\zeta_{(\lambda x).x}(\mathsf{k}\mathsf{k}\xi_1)$ can reduce either to $\underline{1}$ or to $\underline{0}$ depending on whether the subterm $\mathsf{k}\mathsf{k}\xi_1$ is reduced before or after $\zeta$-reduction. However, we still have a notion of normal form (when no reduction rule can be applied to a term) and leftmost innermost reduction, as defined below.

Definition 5.2. We define a sequence of partial operators, $\mathrm{RED}_n$ for each $n$ as follows:

For $n = 0$, define $\mathrm{RED}_0$ as follows:

1. if $t$ is a normal form, $\mathrm{RED}_0(t) = t$

2. for $t = \mathsf{k}rs$ where $r$ and $s$ are normal forms, $\mathrm{RED}_0(\mathsf{k}rs) = r$

3. for $t = \zeta_F r$ where $r$ is a normal form, $\mathrm{RED}_0(\zeta_F r) = \underline{n}$ where $n$ is maximal such that $\xi_{F^{-1}(n)}$ occurs in $r$, or $0$ if no $\xi_i$ occurs in $r$

If $\mathrm{RED}_n$ has already been defined, then we define $\mathrm{RED}_{n+1}$ as follows:

1. if $\mathrm{RED}_n(t)\downarrow$, then $\mathrm{RED}_{n+1}(t) = \mathrm{RED}_n(t)$

2. for $t = \mathsf{s}rsu$, where $r$, $s$, and $u$ are normal forms, $\mathrm{RED}_{n+1}(\mathsf{s}rsu) \simeq \mathrm{RED}_n(\mathrm{RED}_n(ru)\,\mathrm{RED}_n(su))$

3. if $t = rs$ and neither of the previous cases apply, then

$\mathrm{RED}_{n+1}(rs) \simeq \mathrm{RED}_n(\mathrm{RED}_n(r)\,\mathrm{RED}_n(s))$

We then define RED as

$\mathrm{RED} = \bigcup_n \mathrm{RED}_n$

Note that if $\mathrm{RED}(t)$ is defined, then it is a normal form.
We now define our pca, $\mathcal{T}$

Definition 5.3. Let $\mathcal{T}$ be the set of normal forms of $\mathcal{C}$ together with the following application:

$s.t := \mathrm{RED}(s.t)$
(undefined if $\mathrm{RED}(s.t)$ is undefined)
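The rewrite rules and the staged operators $\mathrm{RED}_n$ of Definition 5.2 can be run directly; the following Python code is an added illustration, not taken from the paper, and replays the ambiguous term discussed above. It assumes closed terms only, numerals kept as an opaque constant rather than encoded with s and k, each bijection F given as a finite permutation (identity elsewhere), and a finite stage bound in place of the unbounded union.

```python
from functools import lru_cache

S, K = "s", "k"                      # the two combinator constants

def xi(i):                           # atom xi_i (i > 0)
    return ("xi", i)

def zeta(perm):                      # constant zeta_F; F = perm on its keys, identity elsewhere
    return ("zeta", tuple(sorted(perm.items())))

def num(n):                          # numeral, kept opaque (assumption: not expanded into s/k)
    return ("num", n)

def app(*terms):                     # left-associated application: app(a, b, c) = (a.b).c
    t = terms[0]
    for u in terms[1:]:
        t = ("app", t, u)
    return t

def is_app(t):
    return isinstance(t, tuple) and t[0] == "app"

def is_zeta(t):
    return isinstance(t, tuple) and t[0] == "zeta"

def spine(t):
    """Head symbol of t and the arguments it is applied to, left to right."""
    args = []
    while is_app(t):
        args.append(t[2])
        t = t[1]
    return t, args[::-1]

def atoms(t):
    """Set of indices m such that xi_m occurs in t."""
    if is_app(t):
        return atoms(t[1]) | atoms(t[2])
    return {t[1]} if isinstance(t, tuple) and t[0] == "xi" else set()

def contract(t):
    """Contractum if a rewrite rule applies at the root of the closed term t, else None."""
    head, args = spine(t)
    if head == K and len(args) == 2:             # k x y -> x
        return args[0]
    if head == S and len(args) == 3:             # s x y z -> x z (y z)
        x, y, z = args
        return app(app(x, z), app(y, z))
    if is_zeta(head) and len(args) == 1:         # zeta_F t -> max F(m), or 0 without atoms
        F = dict(head[1])
        return num(max((F.get(m, m) for m in atoms(args[0])), default=0))
    return None

def is_normal(t):
    if contract(t) is not None:
        return False
    return not is_app(t) or (is_normal(t[1]) and is_normal(t[2]))

@lru_cache(maxsize=None)
def red(t, n):
    """RED_n(t) as in Definition 5.2; None stands for 'undefined at stage n'."""
    if is_normal(t):
        return t
    head, args = spine(t)
    args_normal = all(is_normal(a) for a in args)
    if n == 0:                                   # only k- and zeta-redexes on normal arguments
        k_case = head == K and len(args) == 2
        zeta_case = is_zeta(head) and len(args) == 1
        return contract(t) if (k_case or zeta_case) and args_normal else None
    earlier = red(t, n - 1)
    if earlier is not None:
        return earlier
    if head == S and len(args) == 3 and args_normal:
        r, s, u = args
        left, right = red(app(r, u), n - 1), red(app(s, u), n - 1)
    else:                                        # t = r s: reduce both sides first
        left, right = red(t[1], n - 1), red(t[2], n - 1)
    if left is None or right is None:
        return None
    return red(app(left, right), n - 1)

def RED(t, max_stage=16):
    """Union of the RED_n up to max_stage (the RED of the text has no bound)."""
    return red(t, max_stage)

def ambiguity_demo():
    """zeta_F(k k xi_1) with F the identity, reduced in both orders and by RED."""
    t = app(zeta({}), app(K, K, xi(1)))
    outer_first = contract(t)                          # zeta-rule sees xi_1: F(1) = 1
    inner_first = contract(app(t[1], contract(t[2])))  # k k xi_1 -> k, then zeta_F k
    return outer_first, inner_first, RED(t)

if __name__ == "__main__":
    print(ambiguity_demo())
    print(RED(app(S, K, K, xi(3))))
```

`ambiguity_demo()` shows the two reduction orders disagreeing while RED, which always reduces arguments first, commits to one of them.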
Note that since this is a pca we can consider the notion of terms over $\mathcal{T}$ (i.e. definition 1.12) as well as terms in the sense of definition 5.1. Fortunately we are free to switch between thinking of terms and terms over $\mathcal{T}$ by the following proposition. (Note that this proposition is a characteristic of inside first reduction and is not shared by some similar structures: see Remark 6.1.4 in [5].)

Proposition 5.4. Suppose that $t$ is a closed term over $\mathcal{T}$ (in the sense of definition 1.12) and write $t^*$ for the corresponding term (in the sense of definition 5.1). Then $\mathrm{RED}(t^*)$ is defined if and only if $t$ denotes, and in this case we have

$\mathrm{RED}(t^*) = t$

Proof. This essentially appears as parts (i) and (ii) of lemma 6.1.1 in chapter 6 of [3]. We simply note that the proof still holds in this setting where we also have $\zeta$-reduction. □

Proposition 5.5. $\mathcal{T}$ is a pca.

Proof. Note firstly that $\mathsf{s}$ and $\mathsf{k}$ are normal terms and hence elements of $\mathcal{T}$.

If $r$ and $s$ are normal forms, then so are $\mathsf{k}r$ and $\mathsf{s}rs$. Hence $\mathsf{k}r\downarrow$, $\mathsf{s}r\downarrow$ and $\mathsf{s}rs\downarrow$. Also $\mathrm{RED}(\mathsf{k}rs) = r$, so $\mathsf{k}rs = r$.

It remains only to check that for all $r, s, t$, $\mathsf{s}rst \simeq rt(st)$. However this is clear from the definition. (In fact the left hand side is defined at stage $n + 1$ if and only if the right hand side is defined at stage $n$.) □

5.2 Preservation of Atoms

The non trivial structure of $V_0^\Gamma(\mathcal{T})$ will rely on the $\xi_i$, and the rich supply of automorphisms arising from permutations of them. We will want to ensure therefore that under suitable conditions the atoms aren't eliminated by the realizability structure. In this section, we will aim towards a lemma that will enable us to show this.

Definition 5.6. For any pca, $\mathcal{A}$, one may consider the following classes of elements

1. $f \in \mathcal{A}$ is type 1 if for every $n \in \omega$, $f.n\downarrow$, and there is some $m \in \omega$ such that $f.n = m$

2. $e \in \mathcal{A}$ is type 2 if for every type 1 $f$, $e.f\downarrow$ and $e.f$ is type 1

3. $e \in \mathcal{A}$ is a type 2 identity if it is type 2 and for all $f$ type 1 and for all $n \in \omega$, $efn = fn$

We will now show that being able to decide whether a term is defined or not 
is equivalent to the halting problem. 

Proposition 5.7. Suppose that $t(x) = t_1(x)t_2(x)$, $l \in \omega$, and $r$ is a normal form. If $\mathrm{RED}_l((\lambda x).t(x)\,r)\downarrow$, then $l > 0$ and $\mathrm{RED}_{l-1}(t(r))\downarrow$.

Proof. Note that from the definition of lambda terms over a pca (see [3] or [27]) we know that

$(\lambda x).t(x) := \mathsf{s}((\lambda x).t_1(x))((\lambda x).t_2(x))$

Note firstly that $(\lambda x).t(x)\,r = \mathsf{s}((\lambda x).t_1(x))((\lambda x).t_2(x))\,r$ and hence we can only have $\mathrm{RED}_l((\lambda x).t(x)\,r)\downarrow$ for $l > 0$. Furthermore,

$\mathrm{RED}_l(\mathsf{s}((\lambda x).t_1(x))((\lambda x).t_2(x))\,r) \simeq \mathrm{RED}_{l-1}(\mathrm{RED}_{l-1}((\lambda x).t_1(x)\,r)\ \mathrm{RED}_{l-1}((\lambda x).t_2(x)\,r))$

Since we are assuming that $\mathrm{RED}_l((\lambda x).t(x)\,r)\downarrow$, we know in particular that $\mathrm{RED}_{l-1}((\lambda x).t_1(x)\,r)\downarrow$ and $\mathrm{RED}_{l-1}((\lambda x).t_2(x)\,r)\downarrow$, and hence

$\mathrm{RED}_{l-1}(\mathrm{RED}_{l-1}((\lambda x).t_1(x)\,r)\ \mathrm{RED}_{l-1}((\lambda x).t_2(x)\,r)) = \mathrm{RED}_{l-1}(t_1(r)t_2(r)) = \mathrm{RED}_{l-1}(t(r))$

and in particular $\mathrm{RED}_{l-1}(t(r))\downarrow$. □

Proposition 5.8. For any $m, n \in \omega$, there is a closed normal form $t_m$ and a normal form $t'_m(x)$ with free variable $x$ such that for all $r \in \mathcal{T}$

1. $\mathrm{RED}(t_m r)\downarrow$ if and only if the $m$th Turing machine halts on input $m$, and if this occurs $\mathrm{RED}(t_m r) = I$ ($I := \mathsf{s}\mathsf{k}\mathsf{k}$)

2. $\mathrm{RED}(t'_m(\zeta_F) r)\downarrow$ if and only if the $m$th Turing machine halts on input $m$, and if this occurs $\mathrm{RED}(t'_m(\zeta_F) r) = F(n)$

3. $t_m$ contains no $\xi_i$ and $t'_m$ contains $\xi_i$ for $i = n$ only

Proof. By representability of computable functions in pcas (see e.g. [27] or [3]), one can construct $u_m$ such that for every $k \in \omega$, and every $v \in \mathcal{T}$

$u_m k = \begin{cases} \mathsf{k}I & \text{if the } m\text{th Turing machine halts by stage } k \\ (\lambda z).(z\,(k+1)) & \text{if the } m\text{th Turing machine does not halt by stage } k \end{cases}$

Then, following the construction in the fixed point theorem,

$w := (\lambda x).((\lambda y).u_m y(xx))$
$v := ww$
$\phantom{v :}= (\lambda y).u_m y(ww)$

Then if the $m$th Turing machine halts at stage $k$,

$v0 \simeq u_m 0(ww)$
$\phantom{v0} \simeq u_m 0 v$
$\phantom{v0} \simeq v1$
$\phantom{v0} \simeq u_m k(ww)$
$\phantom{v0} \simeq (\mathsf{k}I)(ww)$
$\phantom{v0} \simeq I$

In particular $v0\downarrow$.

Now suppose that the $m$th Turing machine never halts. We show by induction on $l$ that for all $l \in \omega$ and for all $k \in \omega$,

$\mathrm{RED}_l(vk)\uparrow$

Assume that for all $k \in \omega$ and for all $l' < l$ the statement above holds and assume for a contradiction that $\mathrm{RED}_l(vk)\downarrow$. Note that

$\mathrm{RED}_l(vk) = \mathrm{RED}_l(((\lambda y).u_m y(ww))k)$

and so by proposition 5.7 we know in particular that $\mathrm{RED}_{l-1}(u_m k(ww))\downarrow$. But in this case

$\mathrm{RED}_{l-1}(u_m k(ww)) = \mathrm{RED}_{l-2}(\mathrm{RED}_{l-2}(u_m k)\ \mathrm{RED}_{l-2}(ww))$
$\phantom{\mathrm{RED}_{l-1}(u_m k(ww))} = \mathrm{RED}_{l-2}((\lambda z).(z\,(k+1))\,v)$
$\phantom{\mathrm{RED}_{l-1}(u_m k(ww))} = \mathrm{RED}_{l-3}(v\,(k+1))$

and so in particular $\mathrm{RED}_{l-3}(v\,(k+1))\downarrow$ giving a contradiction as required.

Finally, let $t_m = \mathsf{s}(\mathsf{k}v)(\mathsf{k}0)$. Then, for all $r$, $t_m r \simeq v0$, by the basic properties of $\mathsf{s}$ and $\mathsf{k}$.

For parts 2 and 3, let $t_m$ be as above and let $t'_m(x) = \mathsf{s}(\mathsf{s}t_m(\mathsf{k}x))(\mathsf{k}\xi_n)$. Note that part 2 follows from the basic properties of $\mathsf{s}$ and $\mathsf{k}$ and that part 3 is clear from the definition of $t_m$. □

Lemma 5.9 (Preservation of Atoms). Let $e$ be a type 2 identity in $\mathcal{T}$. Then for any $n$, there is some type 1 $f$ in $\mathcal{T}$ such that $\mathrm{RED}(e.f)$ contains the atom $\xi_n$ as a subterm and furthermore, $f$ only contains $\xi_i$ such that $i = n$.

Proof. We assume that this is not the case and derive a contradiction.

We will define a (computable) family $f_m(x)$ of normal forms with one free variable such that for each $F$, $f_m(\zeta_F)$ is type 1 in $\mathcal{T}$.

Let $g_m \in \mathcal{T}$ be such that for all $l \in \omega$, $g_m l = \mathsf{k}(\mathsf{k}0)$ if the $m$th Turing machine with input $m$ has not halted by stage $l$ and $g_m l = I$ if the $m$th Turing machine has halted by stage $l$. We can do this using the representability of primitive recursive functions in pcas.

Then let $t'_m$ be as in proposition 5.8. Define

$f_m(x) := \mathsf{s}(\mathsf{s}g_m(\mathsf{k}t'_m(x)))I$

Note that this is in normal form, and that if the $m$th Turing machine has not halted by stage $l$ then for any $\zeta_F$

$\mathrm{RED}(f_m(\zeta_F)l) \simeq \mathrm{RED}(\mathrm{RED}((\mathsf{s}g_m(\mathsf{k}t'_m(\zeta_F)))l)\,Il)$
$\phantom{\mathrm{RED}(f_m(\zeta_F)l)} \simeq \mathrm{RED}(\mathrm{RED}(\mathrm{RED}(g_m l)\,t'_m(\zeta_F))\,l)$
$\phantom{\mathrm{RED}(f_m(\zeta_F)l)} \simeq \mathrm{RED}(\mathrm{RED}(\mathsf{k}(\mathsf{k}0)\,t'_m(\zeta_F))\,l)$
$\phantom{\mathrm{RED}(f_m(\zeta_F)l)} \simeq \mathrm{RED}(\mathsf{k}0\,l)$
$\phantom{\mathrm{RED}(f_m(\zeta_F)l)} \simeq 0$

In particular, see that $f_m(\zeta_F)l\downarrow$ even if the $m$th Turing machine never halts on input $m$. If the $m$th Turing machine on input $m$ has halted by stage $l$, then

$\mathrm{RED}(f_m(\zeta_F)l) \simeq \mathrm{RED}(\mathrm{RED}((\mathsf{s}g_m(\mathsf{k}t'_m(\zeta_F)))l)\,Il)$
$\phantom{\mathrm{RED}(f_m(\zeta_F)l)} \simeq \mathrm{RED}(\mathrm{RED}(\mathrm{RED}(g_m l)\,t'_m(\zeta_F))\,l)$
$\phantom{\mathrm{RED}(f_m(\zeta_F)l)} \simeq \mathrm{RED}(\mathrm{RED}(I\,t'_m(\zeta_F))\,l)$
$\phantom{\mathrm{RED}(f_m(\zeta_F)l)} \simeq \mathrm{RED}(t'_m(\zeta_F)\,l)$
$\phantom{\mathrm{RED}(f_m(\zeta_F)l)} \simeq F(n)$

Hence for any $m \in \omega$ and any $F$, $f_m(\zeta_F)$ is type 1 in the sense we defined earlier.

We therefore know that $e.f_m(\zeta_F) \simeq \mathrm{RED}(e.f_m(\zeta_F))\downarrow$ and by hypothesis $\mathrm{RED}(e.f)$ cannot contain $\xi_n$. For convenience, in the below we will assume that $F$ is chosen such that $\zeta_F$ does not occur anywhere in $e$.

Note that we can carry out an algorithm to find $\mathrm{RED}(e.f_m(\zeta_F))$ from $m$. (Only finitely many $\xi_i$'s and $\zeta_G$'s occur in $e$ and $f_m(\zeta_F)$, so we can give these terms Gödel numbers and the $\zeta$-rule does not cause a problem here because we only need to know $G(k)$ where $\zeta_G$ occurs in $e$ or $G = F$ and $\xi_k$ occurs in $e$ or $k = n$ and this is only finitely much information).

Furthermore, note that when we carry out this algorithm we can check whether or not we ever need to evaluate $\mathrm{RED}(t'_m(\zeta_F)r)$ for some $r$. If we did need to evaluate this, then in particular $\mathrm{RED}(t'_m(\zeta_F)r)\downarrow$ and so the $m$th Turing machine must halt on input $m$. On the other hand, if we did not need to evaluate $\mathrm{RED}(t'_m(\zeta_F)r)$, then $\zeta_F$ was never used in the $\zeta$-rule because it only ever occurs as a subterm of the normal form $t'_m(\zeta_F)$. Furthermore, by hypothesis $t'_m(\zeta_F)$ cannot occur as a subterm of $\mathrm{RED}(e.f_m(\zeta_F))$ because otherwise $e.f_m(\zeta_F)$ would contain $\xi_n$.

Hence if we choose $F'$ such that $F'(n) \neq F(n)$ then

$\mathrm{RED}(e.f_m(\zeta_{F'})) = \mathrm{RED}(e.f_m(\zeta_F))$

But note that this means $f_m(\zeta_F)$ and $f_m(\zeta_{F'})$ must have the same value on every $l$. This can only happen if they are both identically zero and hence the $m$th Turing machine does not halt on input $m$.

Therefore we could use such an algorithm to solve the halting problem and we derive our contradiction. □



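5.3 Automorphisms of $\mathcal{T}$

Suppose that $\pi : \omega_{>0} \to \omega_{>0}$ is a permutation. Then $\pi$ induces an automorphism $\alpha : \mathcal{T} \to \mathcal{T}$ as follows.

1.

2. $\alpha(\zeta_F) = \zeta_{F \circ \pi}$

3. $\alpha(\mathsf{s}) = \mathsf{s}$

4. $\alpha(\mathsf{k}) = \mathsf{k}$

5. $\alpha(s.t) = \alpha(s)($

Note that we have chosen the action of $\alpha$ on the $\zeta_F$ so that it is compatible with the $\zeta$-rule and the action of $\alpha$ on the $\xi_n$. $\alpha$ is clearly therefore an automorphism of $\mathcal{T}$.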

6 A Useful Lemma

Before we move onto the proof itself, we prove a lemma that is true in general for any pca $\mathcal{A}$. Informally, what this says is the property of being injectively presented can be inherited "up to realizability" across sets that are realizably equal.

Lemma 6.1. There is some $e \in \mathcal{A}$ such that for any $a, b \in V(\mathcal{A})$, if $f \in \mathcal{A}$ is such that $f \Vdash a = b$ and $a$ is injectively presented, and if $\langle g, c \rangle, \langle g, c' \rangle \in b$, then

$efg \Vdash c = c'$

Proof. Since $f \Vdash a = b$, there must be $\langle ((f)_1 g)_0, d \rangle, \langle ((f)_1 g)_0, d' \rangle \in a$ such that

$((f)_1 g)_1 \Vdash c = d$
$((f)_1 g)_1 \Vdash c' = d'$

Since $a$ is injectively presented, we know in fact that $d = d'$ and so

$\mathbf{i}_t((f)_1 g)_1(\mathbf{i}_s((f)_1 g)_1) \Vdash c = c'$

Hence we can take

$e := (\lambda x, y).\mathbf{i}_t((x)_1 y)_1(\mathbf{i}_s((x)_1 y)_1)$

□

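7 Failure of the Existence Property

We will show that the existence property fails for CZF in the following instance.

Theorem 7.1. There is no formula $\chi(x)$ with one free variable such that

$\mathrm{CZF} \vdash (\exists! x)\chi(x)$

and

$\mathrm{CZF} \vdash \chi(x) \to x \subseteq \mathrm{mv}(\mathbb{N}^{\mathbb{N}}, \mathbb{N}) \wedge (\forall R \in \mathrm{mv}(\mathbb{N}^{\mathbb{N}}, \mathbb{N}))(\exists S \in x) S \subseteq R$

This will immediately give the following corollary.

Corollary 7.2. CZF does not have wEP.

Proof. We know that

$\mathrm{CZF} \vdash (\exists x)(x \subseteq \mathrm{mv}(\mathbb{N}^{\mathbb{N}}, \mathbb{N}) \wedge (\forall R \in \mathrm{mv}(\mathbb{N}^{\mathbb{N}}, \mathbb{N}))(\exists S \in x) S \subseteq R)$

Suppose that there is some $\psi(x)$ such that

$\mathrm{CZF} \vdash (\exists! x)\psi(x)$

$\mathrm{CZF} \vdash (\forall x)\psi(x) \to (\exists z) z \in x$

$\mathrm{CZF} \vdash (\forall x)\psi(x) \to (\forall z \in x)(z \subseteq \mathrm{mv}(\mathbb{N}^{\mathbb{N}}, \mathbb{N}) \wedge (\forall R \in \mathrm{mv}(\mathbb{N}^{\mathbb{N}}, \mathbb{N}))(\exists S \in z) S \subseteq R)$

Then by taking $\chi(w)$ to be $(\forall x)\psi(x) \to w = \bigcup x$, we would get

$\mathrm{CZF} \vdash (\exists! w)\chi(w)$

and

$\mathrm{CZF} \vdash \chi(w) \to w \subseteq \mathrm{mv}(\mathbb{N}^{\mathbb{N}}, \mathbb{N}) \wedge (\forall R \in \mathrm{mv}(\mathbb{N}^{\mathbb{N}}, \mathbb{N}))(\exists S \in w) S \subseteq R$

contradicting the theorem. □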

Proof of theorem 7.1. Assume that there is such a $\chi(x)$.

Let $\mathcal{T}$ be the pca from section 5 and let $G$ be the group of all automorphisms obtained from permutations of $\omega$, as in section 5.3. Let $\Gamma$ be the normal filter generated by $\{\mathrm{Stab}_G(\xi_n) \mid n \in \omega\}$. Hence if $G$ acts on some class $X$, then for $x \in X$, $\mathrm{Stab}_G(x) \in \Gamma$ means that $x$ "has finite support relative to the

By the soundness theorems, there must be $C^{ip} \in V_0^{ip}(\mathcal{T})$ and $C^\Gamma \in V_0^\Gamma(\mathcal{T})$ such that

$V^\Gamma(\mathcal{T}) \models \chi(C^\Gamma)$

Hence we must have that

$V(\mathcal{T}) \models \chi(C^{ip}) \wedge \chi(C^\Gamma)$

and so

$V(\mathcal{T}) \models C^{ip} = C^\Gamma$

This allows us to apply lemma 6.1 and deduce that there is some $e_0$ such that for any $\langle f, c \rangle, \langle f, c' \rangle \in C^\Gamma$,

$e_0.f \Vdash_1 c = c'$

In fact this is the only point where we need $C^{ip}$ and we can now derive a contradiction by examining $C^\Gamma$ carefully.

Recall that we can assume that the elements of $\mathbb{N}^{\mathbb{N}}$ are of the form $\langle f, \overline{f} \rangle$ as described in section 1.3.

Write $\zeta_1$ for $\zeta_{(\lambda x).x}$ and for each $N$, construct $R_N \in V_0^\Gamma(\mathcal{T})$,

$R_N := \{\langle 0, f, (\overline{f}, \overline{n}) \rangle \mid f \text{ is type 1},\ n < N,\ n = \zeta_1 f\} \cup \{\langle 0, f, (\overline{f}, \overline{n}) \rangle \mid f \text{ is type 1},\ n > N,\ \zeta_1 f > N\}$

(where we write $(\ ,\ )$ for $V_0^\Gamma(\mathcal{T})$'s internal notion of ordered pairs)

Lemma 7.3. We have constructed these $R_N$ so that the following hold:

1. $R_N \in V_0^\Gamma(\mathcal{T})$. In fact $\bigcap_{i=1}^{N} \mathrm{Stab}_G(\xi_i) \subseteq \mathrm{Stab}_G(R_N)$.

2. There is some $e_1 \in \mathcal{T}$ such that for all $N$, $e_1 \Vdash_0 R_N \in \mathrm{mv}(\mathbb{N}^{\mathbb{N}}, \mathbb{N})$.

3. Suppose that $\langle f, a \rangle \in R_N$ and $\xi_i$ occurs in $f$ only if $i < N$. Then $a = (\overline{f}, \overline{n})$ where $n = \zeta_1 f$ (and $n < N$).

Proof. For 1, note that each set in the binary union in the definition of $R_N$ is preserved by elements of $\bigcap_{i=1}^{N} \mathrm{Stab}_G(\xi_i)$.

For 2, note that each $R_N$ can be "represented" by $\zeta_1$. This can clearly be used to produce a realizer that these are multi valued functions.

Part 3 is clear from the definition. □

We will aim for our contradiction by first showing a lemma stating that any automorphism satisfying certain properties has to be the identity. This will use the key lemma from section 5.2 as well as the basic properties of $R_N$. We will then construct a non trivial automorphism satisfying these conditions. In this lemma we work over $V(\mathcal{T})$ rather than $V^\Gamma(\mathcal{A})$.

Lemma 7.4. Suppose that $a \in V(\mathcal{T})$, $N < N' \in \mathbb{N}$, and $e, f \in \mathcal{T}$ are such that

1. For any $\xi_i$ occurring in $e$ or $f$, $i < N$

2. $\bigcap_{i=1}^{N} \mathrm{Stab}_G(\xi_i) \subseteq \mathrm{Stab}_G(a)$

3. $e \Vdash_1 (\forall x \in a) x \in R_{N'}^\circ$

4. $f \Vdash_1 (\forall x \in \mathbb{N}^{\mathbb{N}})(\exists y \in a)(\exists z \in \mathbb{N}) y = (x, z)$

Then, whenever $\alpha \in G$ fixes $\xi_i$ for $i < N$ and $i > N'$, $\alpha$ must also fix $\xi_i$ for $N < i < N'$ and hence $\alpha$ must be the identity.

Proof. We first check that $(\lambda x).(e(fx)_0)_0$ is a type 2 identity.

Let $g$ be type 1. Then $\langle g, \overline{g} \rangle \in \mathbb{N}^{\mathbb{N}}$. Therefore there is $b$ such that $\langle (fg)_0, b \rangle \in a$ and $(fg)_1 \Vdash_1 (\exists z \in \mathbb{N}) b = (\overline{g}, z)$.

Let $h := (e(fg)_0)_0$. Then we know that there is some $c$ such that $\langle h, c \rangle \in R_{N'}^\circ$, and $(e(fg)_0)_1 \Vdash_1 b = c$. By the basic properties of $R_{N'}$, we know that $c$ must be of the form $(\overline{h}, \overline{m})$ for some $m \in \mathbb{N}$. From above we know that $V(\mathcal{T}) \models (\exists z \in \omega) b = (\overline{g}, z)$ and $V(\mathcal{T}) \models b = (\overline{h}, \overline{m})$, so we deduce that $V(\mathcal{T}) \models \overline{g} = \overline{h}$. Hence $g$ and $h$ must have the same graphs as type 1 elements, and so $(\lambda x).(e(fx)_0)_0$ is a type 2 identity as required.

Now let $\alpha \in G$ fix $\xi_i$ for $i < N$ and $i > N'$. Suppose for a contradiction that there is some $n$ with $N < n < N'$ such that $\alpha(\xi_n) \neq \xi_n$.

By applying lemma 5.9 we can find a first order $g$ such that $g$ only contains $\xi_i$ for $i = n$ and such that $\xi_n$ does occur in $(e(fg)_0)_0$. Let $b$, $h$, and $c$ be as above, but for this particular $g$.

Since $e$ and $f$ only contain $\xi_i$ for $i < N$, we know that $h$ can only contain $\xi_i$ for $i < N$ or $i = n$. Since we have guaranteed that $h$ does contain $\xi_n$, we know that $\zeta_1 h = n$. In particular $n < N'$, so we know from the definition of $R_{N'}$ that $c$ must be of the form $(\overline{h}, \overline{n})$.

Since $\alpha$ fixes $\xi_i$ for $i < N$ we know from our assumptions that $\alpha$ also fixes $a$. Therefore, since $\langle (fg)_0, b \rangle \in a$ we must also have $\langle \alpha((fg)_0), \alpha(b) \rangle \in a$. Hence if $h' := (e\,\alpha((fg)_0))_0$ we know that there is some $c'$ with $\langle h', c' \rangle \in R_{N'}^\circ$, and $V(\mathcal{T}) \models \alpha(b) = c'$.

Since $\alpha$ fixes $\xi_i$ for $i < N$ we know that $\xi_i$ can only occur in $e$ and $\alpha(f)$ for $i < N$. Since $\alpha$ fixes $\xi_i$ for $i > N'$, we know that $\alpha(\xi_n)$ must be amongst $\xi_i$ for $i < N'$. Hence $h'$ only contains $\xi_i$ for $i < N'$. Furthermore neither $\alpha(f)$ nor $\alpha(g)$ contains $\xi_n$ and from the assumption that $\alpha(\xi_n) \neq \xi_n$ we also know that $\xi_n$ does not occur in $\alpha(g)$. Hence $\zeta_1 h' = m$ for some $m < N'$ with $m \neq n$. Again from the definition of $R_{N'}$, we know therefore that $c'$ is of the form $(\overline{h'}, \overline{m})$.

But then since $V(\mathcal{T}) \models b = (\overline{h}, \overline{n})$, we have that $V(\mathcal{T}) \models \alpha(b) = (\alpha(\overline{h}), \alpha(\overline{n}))$. Together with $V(\mathcal{T}) \models \alpha(b) = (\overline{h'}, \overline{m})$ this gives $V(\mathcal{T}) \models \alpha(\overline{n}) = \overline{m}$. In fact $\alpha(\overline{n}) = \overline{n}$, so $V(\mathcal{T}) \models \overline{n} = \overline{m}$. But this is a contradiction since $m \neq n$.

□

Since we know $V^\Gamma(\mathcal{T}) \models (\forall x \in \mathrm{mv}(\mathbb{N}^{\mathbb{N}}, \mathbb{N}))(\exists y \in C)(y \subseteq x \wedge y \in \mathrm{mv}(\mathbb{N}^{\mathbb{N}}, \mathbb{N}))$, there must be $f, e_2, e_3 \in \mathcal{T}$ and $c_n$ such that for all $n$,

$\langle 0, f, c_n \rangle \in C$

$e_2 \Vdash_0 (\forall x \in c_n)(x \in R_n)$

$e_3 \Vdash_0 (\forall x \in \mathbb{N}^{\mathbb{N}})(\exists y \in c_n)(\exists z \in \mathbb{N}) y = (x, z)$

In particular we know that for all $n$, $\mathrm{Stab}_G(c_n) \in \Gamma$ and hence by proposition 3.5 $\mathrm{Stab}_G(c_n^\circ) \in \Gamma$. From now on we will work entirely over $V(\mathcal{T})$.
Recall that we chose $e_0$ so that for all $m$ and $n$,

$e_0 f \Vdash_1 c_n^\circ = c_m^\circ$

and so by substitution we can use $e_0 f$ and $e_2$ to construct $e_4$ such that for all $m$ and $n$

$e_4 \Vdash_1 (\forall x \in c_m^\circ) x \in R_n^\circ$

Now let $N$ be large enough such that the list $\xi_1, \ldots, \xi_N$ includes any $\xi_n$ in a support of $c_0^\circ$, or appearing in $e_0$, $e_1$, $e_2$, $e_3$ or $e_4$.
Let $N' = N + 2$.
Note that we have

$e_4 \Vdash_1 (\forall x \in c_0^\circ) x \in R_{N'}^\circ$

Let $\alpha$ be the automorphism that swaps round $\xi_{N+1}$ and $\xi_{N+2}$, fixing everything else. Then we know that $\alpha$ fixes $\xi_i$ for $i < N$ (and hence also fixes $c_0^\circ$ and any $\xi_i$ occurring in $e_3$ and $e_4$) and fixes $\xi_i$ for $i > N'$. However, clearly $\alpha$ does not fix $\xi_{N+1}$. Hence we can finally get a contradiction by applying lemma 7.4.

□

8 Conclusion 

8.1 What the failure of EP means 

We have shown that CZF does not have EP, or indeed even wEP. Since EP was 
described in the introduction as a property to be expected from constructive 
formal theories, one might ask if its failure indicates some weakness in CZF as 
a constructive theory. The short answer is no: CZF is still a sound foundation 
for constructive mathematics. 

The main theorem of this paper shows essentially that CZF asserts the ex- 
istence of mathematical objects that it does not know how to construct. How- 
ever, CZF does have natural interpretations in which these objects can be 
constructed. One example is Aczel's original interpretation of CZF into type 
theory in pQ. Here, the sets asserted in the fullness axiom are sets of those 
multivalued relations that arise from elements of a particular exponential type. 
Another (related) interpretation is Rathjen's "formulas as classes" in [21], in
which CZF is interpreted into CZF^. In this example the full sets appear as
exponentials in the background universe. In [25] Rathjen and Tupailo showed
using these techniques that CZF with a choice principle $\Pi\Sigma$-AC has a form
of the existence property.



8.2 Further Work 

In this paper we used the axioms of ZFC in several places, with what appears to be an essential use of choice in the soundness of strong collection in $V_0^{ip}(\mathcal{A})$. This means that the final result of the paper was only proved on the assumption that ZFC is consistent. We conjecture that in fact this assumption is unwarranted and with a more sophisticated construction the result can be shown only on the assumption that CZF is consistent.

Choice principles tend to fail in $V^\Gamma(\mathcal{A})$ (in fact one can check that countable choice fails in $V_0^\Gamma(\mathcal{T})$), so it remains open whether CZF together with particular choice principles has EP.